IN THE CLAIMS 



This listing of claims will replace all prior versions, and listings, of claims in the 
application: 
Listing of Claims: 

1. (Currently Amended) A system for detecting intrusions on a host, comprising: 

a) a sensor for collecting information including events and timestamps from a logfile; and 

b) an analysis engine configured to identify a backward time step in the logfile by 
identifying a first entry for which an associated first log entry time is earlier in time than 
a second log entry time associated with a second log entry entered in the logfile prior to 
the first entry, correlate determine that the backward time step is associated with an 
event, and assign a suspicion value to the event based at least in part on the backward 
time step. 

2. (Original) The system as recited in claim 1, wherein the analysis engine is configured to 
identify a time step as forward if a timestamp of an entry in the logfile is later than an 
preceding entry in the logfile, and identify a time step as backward if a timestamp of an entry 
in the logfile is earlier than an preceding entry in the logfile. 

3. (Currently Amended) The system as recited in claim 1, wherein the analysis engine is further 
configured to use expected activity level in the ^directory to determine the suspicion value. 

4. (Original) The system as recited in claim 1, further comprising a second sensor for collecting 
information including events and timestamps from a second logfile. 

5. (Original) The system as recited in claim 4, wherein the analysis engine is configured to 
correlate a time step in the logfile with an event in the second logfile. 

6. (Original) The system as recited in claim 1, wherein the analysis engine is further configured 
to filter out expected time steps from further analysis. 

7. (Original) The system as recited in claim 6, wherein the analysis engine is configured to 
filter out expected backward time steps by correlating them to Network Time Protocol 
adjustments. 

8. (Original) The system as recited in claim 6, wherein the analysis engine is further configured 
to compute an expected time drift resulting from a Network Time Protocol adjustment, and 
compare a forward time step in the logfile with the expected time drift. 

9. (Original) The system as recited in claim 8, wherein the analysis engine is further configured 
to compute a standard deviation of the expected time drift. 

10. (Original) The system as recited in claim 9, wherein the analysis engine is further configured 
to label time steps with weighted distributions. 

11. (Original) The system as recited in claim 1, further comprising a user interface, and wherein 
the analysis engine is configured, upon correlating a time step to a record of an event in a 
logfile, to present the record to a user for labeling as to suspicion value. 

12. (Original) The system as recited in claim 11, wherein the analysis engine is further 
configured to propagate the suspicion value to related events. 

13. (Canceled) 

14. (Canceled) 

15. (Canceled) 

16. (Currently Amended) A method for detecting intrusions on a host, comprising the steps of: 

a) collecting information including events and timestamps from a logfile; 

b) identifying a backward time step in the logfile by identifying a first entry for which an 
associated first log entry time is earlier in time than a second log entry time associated 
with a second log entry entered in the logfile prior to the first entry; 

c) correlating determining that the backward time step is associated with an event; and 

d) assigning a suspicion value to the event based at least in part on the backward time step. 

17. (Currently Amended) A computer program product for detecting intrusions on a host, the 
computer program product being embodied in a computer readable medium having machine 
readable code embodied therein for performing the steps of: 

a) collecting information including events and timestamps from a logfile; 

b) identifying a backward time step in the logfile by identifying a first entry for which an 
associated first log entry time is earlier in time than a second log entry time associated 
with a second log entry entered in the logfile prior to the first entry; 

c) correlating determining that the backward time step is associated with an event; and 

d) assigning a suspicion value to the event based at least in part on the backward time step. 
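
The steps recited in claims 1, 2, 6, 7 and 16, as an added illustration that is not part of the filing and is not the applicants' implementation. The log lines, the NTP adjustment record, the matching window and the linear suspicion scale are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample logfile (not from the filing): entries in the order written.
LOGFILE = """\
2005-10-31T10:00:00 sshd: session opened for user alice
2005-10-31T10:05:00 cron: job started
2005-10-31T10:04:58 cron: job finished
2005-10-31T10:20:00 su: session opened for user root
2005-10-31T09:50:00 sshd: session closed for user alice
2005-10-31T09:51:00 cron: job started
"""
# Constructed second logfile: NTP adjustments as (time after adjustment, offset in seconds).
NTP_LOG = [(datetime(2005, 10, 31, 10, 4, 58), -2.0)]

def parse(text):
    """Yield (timestamp, event) per line, preserving file order."""
    for line in text.splitlines():
        stamp, event = line.split(" ", 1)
        yield datetime.fromisoformat(stamp), event

def backward_steps(entries):
    """Return (step_seconds, timestamp, event) for each entry earlier than its predecessor."""
    steps, prev = [], None
    for ts, event in entries:
        if prev is not None and ts < prev:
            steps.append(((prev - ts).total_seconds(), ts, event))
        prev = ts
    return steps

def explained_by_ntp(step, ts, ntp_log, window=timedelta(seconds=5), slack=1.0):
    """True if an NTP adjustment near ts set the clock back by about `step` seconds."""
    return any(abs(ts - when) <= window and offset < 0 and abs(step + offset) <= slack
               for when, offset in ntp_log)

def score(logfile, ntp_log, full_scale=3600.0):
    """Map each unexplained backward step to a suspicion value in [0, 1] (assumed scale)."""
    findings = []
    for step, ts, event in backward_steps(parse(logfile)):
        if explained_by_ntp(step, ts, ntp_log):
            continue  # expected time step, filtered out of further analysis
        findings.append((event, round(min(1.0, step / full_scale), 2)))
    return findings

if __name__ == "__main__":
    for event, suspicion in score(LOGFILE, NTP_LOG):
        print(f"suspicion={suspicion:.2f}  {event}")
```
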

INTERVIEW SUMMARY UNDER 37 CFR §1.133 AND MPEP §713.04 

A telephonic interview in the above-referenced case was conducted on October 31, 2005 
between the Examiner and the Applicants' undersigned representative. The Office Action 
mailed on July 6, 2005 was discussed. Specifically, the rejections of claim 1 in light of 
Beardsley (U.S. Patent No. 5,471,631) and the proposed amendments set forth herein were 
discussed with the intent to place the claims in better condition for allowance or appeal. 

The Applicants wish to thank the Examiner for his time and attention in this case. 